ethz-let / moodle-qtype_drawing


Security problems with drawingarea.php #8

Closed daniil-berg closed 2 years ago

daniil-berg commented 3 years ago

Sorry to unload like this, but this is my last issue for now...

It seems quite risky to simply output such things as $attemptid, $uniquefieldnameattemptid and $sesskey unfiltered (in the very first script-tag rendered by drawingarea.php). Again, XSS possibilities come to mind.

Also, the same concerns raised in #6 apply to drawingarea.php.

I hope these (and the other issues raised) help. I am part of a team administrating a fairly large Moodle-based site and we were considering adding this plugin. I thought it best to report the issues that we noticed so far that prevent us from using it, as long as they persist.

Kind regards, Dan
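The pattern the report is asking for, shown as an added example rather than the plugin's own code: every server-side value handed to an inline script goes through json_encode with the JSON_HEX_* flags, and integer identifiers are validated before they are rendered. Function names and the sample values are assumptions; in Moodle the cleaning step is normally done by required_param('attemptid', PARAM_INT) when the request is read.

```php
<?php
// Added example, not code from moodle-qtype_drawing. Names are hypothetical;
// the values stand in for request parameters such as attemptid and the
// sesskey that the issue says drawingarea.php echoes unfiltered.

/**
 * Emit an inline <script> that hands server-side values to page JavaScript.
 * JSON_HEX_TAG/AMP/APOS/QUOT turn <, >, &, ' and " into \uXXXX escapes, so no
 * value can close the <script> element or escape the string it sits in.
 */
function drawing_config_script(array $config): string {
    $json = json_encode(
        $config,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    // Deliberately no JSON_UNESCAPED_SLASHES: "/" is emitted as "\/", so the
    // byte sequence "</" never appears inside the script body.
    return '<script>window.drawingConfig = ' . $json . ';</script>';
}

/**
 * Defence in depth: an identifier that must be an integer is validated and
 * cast before it is ever interpolated anywhere (Moodle's PARAM_INT does the
 * equivalent at the required_param() call).
 */
function clean_attempt_id(string $raw): int {
    if (!preg_match('/^\d+$/', $raw)) {
        throw new InvalidArgumentException('attemptid must be a non-negative integer');
    }
    return (int) $raw;
}

// Constructed input containing a quote and a closing script tag, the two
// characters that would break raw string interpolation into a script block.
$untrusted = ['attemptid' => '7"</script>', 'sesskey' => 'abc123'];

$html = drawing_config_script($untrusted);
// The only "</script>" in the output is the one that legitimately ends the block.
assert(substr_count($html, '</script>') === 1);
assert(str_ends_with($html, '</script>'));

// The integer check rejects the same tampered value outright.
try {
    clean_attempt_id($untrusted['attemptid']);
    assert(false, 'tampered attemptid should have been rejected');
} catch (InvalidArgumentException $e) {
    // expected
}
assert(clean_attempt_id('42') === 42);
```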

nexterday commented 3 years ago

I'm sorry, but say it again? If I go to google and write a script in the search box, then this is called XSS when a pop up or page dance appears to me? I'm afraid XSS is gone too far :)

larsbonczek commented 3 years ago

@nexterday I have to disagree with you here. Can you please elaborate on why you think running arbitrary JS code in another person's browser (by sending them a maliciously crafted link to a trusted site, in this case) is not XSS?